Underground hacking forums are flooded with all sorts of zero-day exploits, many of which can be used to attack millions of regular Internet users. A perfect example is the Yahoo! Mail zero-day exploit identified by journalist and security researcher Brian Krebs. According to Krebs, the details of the vulnerability are being sold by an Egyptian hacker for $700 (€550). Apparently, the exploit relies on a persistent cross-site scripting (XSS) vulnerability in yahoo.com.
These types of security holes usually involve social engineering – the attacker must get a victim to click on a link – but in most cases that’s not a problem for skilled cybercriminals.
If the attack is successful, the hacker gains access to the victim’s cookies and, implicitly, his account.
In most cases, compromised Yahoo accounts are utilized to distribute malware, trick users into wiring money, and lure internauts into visiting other malicious sites.
The hacker selling it, known as TheHell, claims that the price for such an exploit is usually around $1,100 (€850) to $1,500 (€1,170). However, he emphasizes that he will only sell the details to “trusted people,” to make sure that the security hole doesn’t get patched any time soon.
Krebs has notified Yahoo! representatives regarding the existence of the vulnerability. They’re currently trying to find the exact location of the flaw.
The fixing process itself is easy, as long as they can locate the precise URL.
XSS vulnerabilities are highly common these days because many website developers fail to properly filter user input. The problem is even more serious with persistent (stored) flaws because, as the Egyptian hacker highlights, they’re not blocked by the XSS filters integrated into web browsers such as Internet Explorer or Chrome.
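The standard fix for the class of flaw described above is encoding untrusted data at output time rather than relying on input filtering or on browser XSS filters, and keeping the session cookie out of reach of page script with the HttpOnly flag. The snippet below is an added illustration, not code from the article or from Yahoo!; the message fields, the function names and the sample message are assumptions:

```javascript
// Added example: render a stored webmail message with context-aware output
// encoding, and issue the session cookie with HttpOnly so that script injected
// into the page cannot read it via document.cookie. Names and format are assumed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode untrusted text for an HTML element body or a double-quoted attribute.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Build the HTML for a message view. Every field that originated from another
// user (sender, subject, body) is encoded when it is written into the page,
// regardless of whatever filtering happened when the message was stored.
function renderMessage(msg) {
  return [
    '<div class="message">',
    `  <span class="from" title="${escapeHtml(msg.from)}">${escapeHtml(msg.from)}</span>`,
    `  <h2>${escapeHtml(msg.subject)}</h2>`,
    `  <pre>${escapeHtml(msg.body)}</pre>`,
    '</div>',
  ].join('\n');
}

// Session cookie attributes: HttpOnly hides the value from page script,
// Secure restricts it to HTTPS, SameSite limits cross-site sending.
function sessionCookieHeader(value) {
  return `session=${encodeURIComponent(value)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample: a stored message whose subject and body carry markup.
const sampleMessage = {
  from: 'someone@example.com',
  subject: '<script>alert(document.cookie)</script>',
  body: 'Click "here" & see <b>this</b>',
};

console.log(renderMessage(sampleMessage));
console.log(sessionCookieHeader('abc123'));
```

The rendered output shows the subject's tags as literal text instead of executing them, which is the behaviour a stored-XSS fix must guarantee for every user-controlled field.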
Here is the video proof-of-concept published by the hacker (reproduced and posted on YouTube by Brian Krebs):